Is urn:oasis:names:tc:SAML:2.0:nameid-format:emailAddress a valid NameID format?

Tags: saml, saml-2.0

In the OASIS specs I can read the following valid nameid-formats:

  • urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
  • urn:oasis:names:tc:SAML:2.0:nameid-format:transient
  • urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
  • urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
  • urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName
  • urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName
  • urn:oasis:names:tc:SAML:2.0:nameid-format:kerberos
  • urn:oasis:names:tc:SAML:2.0:nameid-format:entity

but can't find urn:oasis:names:tc:SAML:2.0:nameid-format:emailAddress.

If I do a fast Google search, this format appears several times, including in documentation for Cisco Spark.

Can someone clarify this issue for me? It seems that someone invented this nameid-format and now some IdPs/SPs are using it.

asked Jul 29 '15 19:07 by smartin

1 Answer

@smartin -- You appear to work at OneLogin and I recently submitted a ticket about this :-). I think your hunch is right; someone saw that there is a SAML 1.1 and a SAML 2.0 and assumed that the 1.1 in urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress was a mistake.

Section 8 of the specification document mentions this at the beginning:

The following sections define URI-based identifiers for common resource access actions, subject name identifier formats, and attribute name formats. Where possible an existing URN is used to specify a protocol. In the case of IETF protocols, the URN of the most current RFC that specifies the protocol is used. URI references created specifically for SAML have one of the following stems, according to the specification set version in which they were first introduced:

urn:oasis:names:tc:SAML:1.0:
urn:oasis:names:tc:SAML:1.1:
urn:oasis:names:tc:SAML:2.0:

http://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf

As the e-mail address identifier was introduced back in SAML v1.1, that would make sense. Check out section 7 intro and 7.3.2 here (https://www.oasis-open.org/committees/download.php/3406/oasis-sstc-saml-core-1.1.pdf).

So, tl;dr: urn:oasis:names:tc:SAML:2.0:nameid-format:emailAddress is in conflict with the SAML 1.1 and SAML 2.0 specs.

answered Dec 31 '22 20:12 by Wes
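As an added example (not code from the question or the answer above, and not from any SAML library): a small Python check that extracts the NameID from an assertion and validates its Format against the URIs the question lists from SAML Core 2.0 section 8.3. The non-standard urn:oasis:names:tc:SAML:2.0:nameid-format:emailAddress is recognised only as an alias of the 1.1 URI, and only when the caller opts in; the alias table and the sample assertion are constructed for this example, and the mapping is this example's assumption, not anything the specification defines.

```python
import xml.etree.ElementTree as ET

SAML2_ASSERTION_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# NameID Format URIs registered in SAML Core 2.0, section 8.3 (the list quoted in the question).
SPEC_NAMEID_FORMATS = frozenset({
    "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified",
    "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
    "urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName",
    "urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName",
    "urn:oasis:names:tc:SAML:2.0:nameid-format:kerberos",
    "urn:oasis:names:tc:SAML:2.0:nameid-format:entity",
    "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent",
    "urn:oasis:names:tc:SAML:2.0:nameid-format:transient",
})

# Non-standard URIs seen in the wild, mapped to the spec URI they were evidently meant to be.
# This table is an assumption of this example; the specification defines no such aliases.
NONSTANDARD_ALIASES = {
    "urn:oasis:names:tc:SAML:2.0:nameid-format:emailAddress":
        "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
}

# Constructed sample assertion (not a real IdP response). It carries the 2.0 emailAddress
# URI the question asks about. A real deployment would verify the XML signature first and
# parse with a hardened parser such as defusedxml rather than xml.etree on untrusted input.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-example" Version="2.0" IssueInstant="2015-07-29T19:07:00Z">
  <saml:Issuer>https://idp.example.test/</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:emailAddress">alice@example.test</saml:NameID>
  </saml:Subject>
</saml:Assertion>"""


def classify_nameid_format(fmt):
    """Return (status, canonical_uri): status is 'spec', 'alias' or 'unknown'."""
    if not fmt:
        # Core 2.0 section 2.2.2: with no Format attribute, the 1.1 'unspecified' URI is in effect.
        return "spec", "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
    if fmt in SPEC_NAMEID_FORMATS:
        return "spec", fmt
    if fmt in NONSTANDARD_ALIASES:
        return "alias", NONSTANDARD_ALIASES[fmt]
    return "unknown", None


def nameid_from_assertion(xml_text, accept_aliases=False):
    """Extract (canonical_format, value) from Subject/NameID, rejecting unknown formats.

    Aliases such as the bogus 2.0 emailAddress URI are rejected unless accept_aliases=True,
    so the SP's strictness is an explicit configuration decision rather than an accident.
    """
    root = ET.fromstring(xml_text)
    ns = "{" + SAML2_ASSERTION_NS + "}"
    nameid = root.find(".//" + ns + "Subject/" + ns + "NameID")
    if nameid is None:
        raise ValueError("assertion has no Subject/NameID")
    raw_format = nameid.get("Format")
    status, canonical = classify_nameid_format(raw_format)
    if status == "unknown" or (status == "alias" and not accept_aliases):
        raise ValueError("rejected NameID Format %r (%s)" % (raw_format, status))
    return canonical, (nameid.text or "").strip()


if __name__ == "__main__":
    try:
        print(nameid_from_assertion(SAMPLE_ASSERTION))
    except ValueError as err:
        print("strict mode:", err)
    print("lenient mode:", nameid_from_assertion(SAMPLE_ASSERTION, accept_aliases=True))
```

Run as-is, strict mode rejects the sample because its Format is the unregistered 2.0 emailAddress URI; with accept_aliases=True it is normalised to the 1.1 URI before the value is used. Keeping the alias table explicit and opt-in is the point: it documents exactly which off-spec identifiers a service provider has chosen to tolerate and for what reason.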